RBAC Outliers
The RBAC Analyzer goes beyond identifying patterns and constructing roles; it also detects potential risks and anomalies in the organization's access control landscape. These anomalies, referred to as "outliers," are the identities that cannot be grouped into any of the BalkanID generated roles.
The RBAC Analyzer identifies and categorizes outliers into the following types:
1. Exclusive Portfolio Outliers: These outliers denote a connection or a group of connections assigned to an individual employee that deviates from the typical access patterns observed within their peer group. Exclusive Portfolio outliers can be further classified into two subtypes:
1:1 Exclusive Portfolio Outliers: This scenario occurs when only one employee has access to a specific connection across the entire organization. Such outliers may raise questions about the necessity of such access, potential mistakes, or whether it is required for specific testing or evaluation purposes.
1:M Exclusive Portfolio Outliers: This subtype arises when a single employee has access to multiple unique connections that are uncommon across the organization. These outliers may indicate irregular entitlements, access privileges accumulated over time, potential mistakes, or even malicious activities.
2. Below Threshold Outliers: These outliers indicate a BalkanID generated role that only a few identities hold. If a role does not hold significant importance for a particular job title or department, only a few people will be assigned to it. To identify these non-significant roles, the RBAC Analyzer establishes a threshold on the number of members a role must have. Any role whose member count falls below this threshold is labeled a "below-threshold outlier," and its members warrant further investigation.
3. No Job Title Outliers: These outliers highlight employees who do not have a job title assigned within the organization's records. As a result, the RBAC Analyzer is unable to assign any BalkanID generated roles to these employees, as job titles are a crucial factor in determining appropriate access privileges.
4. No Department Outliers: Similar to the "No Job Title Outliers," these outliers indicate employees who do not have a department assigned within the organization's records. Without departmental information, the RBAC Analyzer cannot accurately assign BalkanID generated roles, as department affiliation is another essential factor in determining access requirements.
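The four categories above can be expressed as a small set of classification rules. The following is an added, illustrative implementation written for this page; it is not BalkanID's code, and it makes simplifying assumptions that are labeled in the comments: a candidate role is approximated as the group of identities sharing the same (job title, department) pair, "unique" means a connection held by exactly one identity across the whole data set, and the sample identities, titles, departments and connection names are constructed for the example.

```python
"""Illustrative RBAC outlier classifier (not BalkanID's implementation).

Classifies identities into the four outlier categories described above:
exclusive portfolio (1:1 and 1:M), below threshold, no job title, no department.
"""
from collections import defaultdict

# Constructed sample data: identity -> title, department, set of connections.
# Names and connections are invented for this example.
IDENTITIES = {
    "alice": {"title": "Engineer", "dept": "Eng",     "connections": {"github", "jira", "aws-prod"}},
    "bob":   {"title": "Engineer", "dept": "Eng",     "connections": {"github", "jira"}},
    "carol": {"title": "Engineer", "dept": "Eng",     "connections": {"github", "jira", "snowflake", "stripe"}},
    "dave":  {"title": "",         "dept": "Eng",     "connections": {"github"}},
    "erin":  {"title": "Analyst",  "dept": "",        "connections": {"jira"}},
    "frank": {"title": "Analyst",  "dept": "Finance", "connections": {"jira", "netsuite"}},
}


def connection_holders(identities):
    """Invert the identity -> connections map to connection -> set of holders."""
    holders = defaultdict(set)
    for name, rec in identities.items():
        for conn in rec["connections"]:
            holders[conn].add(name)
    return holders


def classify_outliers(identities, threshold=2):
    """Return {identity: [reason, ...]} for every identity flagged as an outlier.

    `threshold` is the assumed minimum member count for a role to be
    considered significant (the page does not state BalkanID's default).
    """
    holders = connection_holders(identities)
    reasons = defaultdict(list)

    # Rules 3 and 4: missing attributes prevent any role assignment at all.
    for name, rec in identities.items():
        if not rec["title"]:
            reasons[name].append("no_job_title")
        if not rec["dept"]:
            reasons[name].append("no_department")

    # Rule 2: assumed role model = one candidate role per (title, dept) pair.
    # Identities already flagged for missing attributes cannot join a role.
    groups = defaultdict(set)
    for name, rec in identities.items():
        if name in reasons:
            continue
        groups[(rec["title"], rec["dept"])].add(name)
    for members in groups.values():
        if len(members) < threshold:
            for member in sorted(members):
                reasons[member].append("below_threshold")

    # Rule 1: exclusive portfolio. A connection held by exactly one identity
    # org-wide is "unique" (assumption). One unique connection -> 1:1,
    # several unique connections on the same identity -> 1:M.
    for name, rec in identities.items():
        unique = sorted(c for c in rec["connections"] if len(holders[c]) == 1)
        if len(unique) == 1:
            reasons[name].append(f"exclusive_1_to_1:{unique[0]}")
        elif len(unique) > 1:
            reasons[name].append("exclusive_1_to_M:" + ",".join(unique))

    return dict(reasons)


if __name__ == "__main__":
    for identity, why in sorted(classify_outliers(IDENTITIES).items()):
        print(f"{identity:6s} {'; '.join(why)}")
```

On the constructed data, bob is the only identity that fits cleanly into a role; alice is a 1:1 outlier on aws-prod, carol is a 1:M outlier on snowflake and stripe, dave and erin are flagged for the missing title and department, and frank is both a below-threshold member (the Analyst/Finance role has a single member) and a 1:1 outlier on netsuite. A single identity can therefore carry several reasons, which is the information the Outliers page surfaces in the outlier description.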
The Outliers page in the RBAC Analyzer provides a comprehensive list of identities that could not be assigned a BalkanID generated role, along with the reason for each exclusion in the outlier description. It offers filtering capabilities to quickly identify and investigate irregularities.
By identifying and categorizing these outliers, the RBAC Analyzer provides organizations with valuable insights into potential access control risks, irregularities, or gaps within their access management processes.